Gary Day
2005 Cisco Systems, Inc. All rights reserved. Version 2.0 Oct-2005
Cisco Confidential
Customer Requirements
IP Intranet
IP Extranet
Remote Offices
Multimedia
The Barriers
Frame Relay and ATM services are available:
They provide connection-oriented service
They have inflexible point-to-point bandwidth guarantees
But they have good privacy
Carriers' customers want IP services:
They need connectionless IP services
They need more flexible IP quality of service guarantees
They need more privacy than the Internet provides
MPLS Concepts
Packet forwarding is done based on labels. Labels are assigned when the packet enters the network and are inserted between the layer 2 and layer 3 headers. MPLS nodes forward packets based on the label.
This separates ROUTING from FORWARDING: routing uses IP addresses, forwarding uses labels.
MPLS Capabilities
Traffic Engineering
Force traffic along predetermined paths
Put routers around the edge of an ATM network. Connect routers using Permanent Virtual Circuits. This does not provide optimal integration of IP and ATM.
MPLS Training - Basic 12
Secure support for intranets and extranets. Easy to provide Intranet/Extranet/3rd Party ASP support over any access or backbone technology.
Figure: an IP packet carried with a two-label stack. The IGP label determines the PE router; the VPN label determines the VPN (VPN A, VPN B, VPN C) on that PE router.
Reduced cost: consolidate multiple core technologies into a single packet-based network infrastructure. Simpler provisioning of L2 services. Attractive to Enterprises that wish to keep routing private.
Figure: an L2 frame carried with a two-label stack. The tunnel label determines the tunnel across the core; the VC label determines the VC inside the tunnel.
Traffic Engineering
Why traffic engineer?
Optimise link utilisation. Specific paths by customer or class. Balance traffic load.
Figure: the route chosen by the IP routing protocol versus the route specified by traffic engineering.
Traffic follows a pre-specified path. The path differs from the normally routed path. This controls packet flows across a L2 or L3 network.
Figure: an IP packet carried with a three-label stack. The TE label determines the LSP next hop contrary to the IGP; below it sit the IGP label and the VPN label.
MPLS Components
Edge Label Switching Routers (ELSR or PE)
Label previously unlabeled packets at the beginning of a Label Switched Path (LSP). Strip labels from labeled packets at the end of an LSP.
Figure: CE - PE (ELSR) - P (LSR) - P (LSR) - PE (ELSR) - CE. The edge label switching routers sit at the PE positions, the label switching routers at the P positions.
Functional Components
Forwarding component:
Uses label information carried in a packet and label binding information maintained by a Label Switching Router to forward the packet
Control component:
Responsible for maintaining correct label binding information among Label Switching Routers
Forwarding Component
Label Forwarding Information Base (LFIB). Each entry consists of:
incoming label, outgoing label, outgoing interface, outgoing MAC address
The LFIB is indexed by incoming label. The LFIB could be either per Label Switching Router or per interface.
Forwarding Component
IOS Label Forwarding Code is based on Cisco Express Forwarding (CEF):
maintenance of label rewrite structures in the LFIB
recursive route resolution
the IP to label switching (label imposition) path
Forwarding Component
Forwarding algorithm:
Extract the label from the packet
Find the entry in the LFIB whose INCOMING LABEL equals the label in the packet
Replace the label in the packet with the OUTGOING LABEL (from the found entry)
Send the packet on the outgoing interface (from the found entry)
Label
Can be used over Ethernet, 802.3, or PPP links. Ethertype 0x8847. Four octets per label in the stack.
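The two slides above (the forwarding algorithm and the four-octet label encapsulation) in working code, as an added example that is not part of the Cisco deck. It decodes the label stack entries that follow Ethertype 0x8847, then applies the deck's algorithm: look up the incoming label in the LFIB, swap in the outgoing label, send on the outgoing interface. The field layout (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) is the RFC 3032 encoding; the first two LFIB rows are the ones printed on the deck's forwarding slides, the "pop" row and the IP payload are constructed to show penultimate-hop popping.

```python
"""Added example: decode MPLS label stack entries and run the deck's LFIB
forwarding algorithm over them, including penultimate-hop popping."""
from __future__ import annotations
import struct

MPLS_UNICAST_ETHERTYPE = 0x8847


def parse_label_stack(payload: bytes) -> tuple[list[dict], bytes]:
    """Walk four-octet entries until bottom-of-stack; return (entries, rest)."""
    stack, offset = [], 0
    while True:
        if len(payload) - offset < 4:
            raise ValueError("truncated MPLS label stack entry")
        (word,) = struct.unpack_from("!I", payload, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        stack.append(entry)
        offset += 4
        if entry["bos"]:
            return stack, payload[offset:]


def build_label_entry(label: int, exp: int = 0, bos: int = 1, ttl: int = 64) -> bytes:
    """Encode one label stack entry (20-bit label, EXP, S bit, TTL)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


# LFIB indexed by incoming label -> (outgoing label, outgoing interface, MAC).
LFIB = {
    16: (32, "S0/0", "aa-00-bb"),     # rows from the deck's forwarding slides
    18: (27, "S0/0", "aa-00-cc"),
    27: ("pop", "E0/0", "aa-00-dd"),  # constructed: egress advertised implicit null
}


def forward(payload: bytes):
    """One LSR hop. Returns (interface, MAC, new payload), or None when the
    packet is dropped: no LFIB entry for the top label (a P router has no IP
    lookup to fall back on) or an expired TTL."""
    stack, rest = parse_label_stack(payload)
    top, below = stack[0], stack[1:]
    entry = LFIB.get(top["label"])
    if entry is None or top["ttl"] <= 1:
        return None
    out_label, iface, mac = entry
    if out_label == "pop":
        new_stack = below  # PHP: strip the top label, keep any inner labels
    else:
        new_stack = [dict(top, label=out_label, ttl=top["ttl"] - 1)] + below
    encoded = b"".join(build_label_entry(e["label"], e["exp"], e["bos"], e["ttl"])
                       for e in new_stack)
    return iface, mac, encoded + rest
```

A frame labelled 16 leaves on S0/0 relabelled 32; a frame labelled 27 over an inner label has only the inner label left after the pop, which is the state the deck's footnote describes at the egress LSR.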
Label Encapsulation
Figure: label encapsulation on Packet over SONET/SDH, Ethernet and Frame Relay PVCs (the label is carried in the frame in front of the data) and on ATM PVCs (ATM label switching: the label is carried in the cell header, subsequent cells carry the data).
Control Component
Labels can be distributed by several protocols: TDP/LDP from IGP routes, RSVP for traffic engineering paths, BGP for VPN routes.
Responsible for binding between labels and routes: creating label bindings (local) and distributing label binding information among Label Switching Routers.
MPLS: Forwarding
Existing routing protocols (e.g. OSPF, IGRP) establish routes
Label Distribution Protocol (e.g., LDP) establishes label to routes mappings
Label Distribution Protocol (e.g., LDP) creates LFIB entries on LSRs
LFIB on the LSR:
IN   OUT   I/F    MAC
16   32    S0/0   aa-00-bb
18   27    S0/0   aa-00-cc
LFIB on the egress edge LSR:
IN   OUT    I/F    MAC
     Null   E0/0   aa-00-bb
     Null   E0/1   aa-00-cc
The ingress edge LSR receives the packet, performs Layer 3 value-added services, and labels the packet
LSRs forward labelled packets using label swapping
Edge LSR at egress removes remaining label* and delivers packet
* Penultimate hop popping actually occurs. There may not necessarily be a label in the packet at the ultimate or egress LSR.
Traditional Routing
Route Distribution
Figure: route distribution. The router attached to 128.89 (interface 0) advertises "You can reach 128.89 thru me"; the next router, also attached to 171.69 (interface 2), advertises "You can reach 128.89 and 171.69 thru me".
Traditional Routing
Packet Routing
Figure: packet routing. The packet "Data | 128.89.25.4" is forwarded hop by hop by looking up its destination address at each router until it reaches 128.89.
MPLS Forwarding
Figure: the same routers with In/Out label fields added to each forwarding entry (Out Label column at every router; destinations 128.89 via interface 0 and 171.69 via interface 2).
Figure: label distribution. The last router announces "Pop label for 128.89"; the next announces "Use label 27 for 128.89" and "Use label 29 for 171.69"; for 171.69 the router attached via interface 2 announces "Use label 22 for 171.69".
Figure: labelled forwarding. Packets for 128.89.25.4 are sent with label 27 and packets for 171.69.21.7 with label 29; the next router forwards the 171.69.21.7 packet with label 22. The label for 128.89 is popped before delivery, so "Data | 128.89.25.4" arrives unlabelled.
Internet Scalability
Figure: Internet scalability. The edge routers (loopbacks 150.10.1.1 and 150.10.1.2) learn external prefixes such as 171.69, 127.18 and 204.162 via EBGP. A core router only needs a label for the BGP next hop: "I can reach 128.89, 136.50, 156.50, 119.10 via the BGP next hop 150.10.1.1 using only label 18!"
Key differences:
Label set up: LDP vs ATM Forum Signaling
Label granularity: Per-prefix
45
Replace ATM Forum control plane with the MPLS control component:
Network Layer routing protocols (e.g., OSPF, BGP, PIM) + Label Distribution Protocol (e.g., LDP)
Summary
MPLS allows flexible packet classification and network resource optimisation.
Labels are distributed by different protocols: LDP, RSVP, BGP. Different distribution protocols may co-exist in the same LSR.
Labels have local (LSR) significance: no need for global (domain) wide label allocation/numbering.
Benefits of MPLS
De-couples IP packet forwarding from the information carried in the IP header of the packet.
Provides multiple routing paradigms (e.g., destination-based, explicit routing, VPN, multicast, CoS, etc.) over a common forwarding algorithm (label swapping).
Facilitates integration of ATM and IP: from the control plane point of view an MPLS-capable ATM switch looks like a router.
LDP
LDP Overview
IETF standard protocol RFC 3036
Distributes <label, prefix> bindings for MPLS forwarding along normally routed paths
Runs in parallel with routing protocols. Neighbor discovery with UDP (646). Incremental updates over TCP (646). Other label distribution mechanisms can run in parallel. Descendant of the Cisco proprietary Tag Distribution Protocol (TDP).
LDP Introduction
LDP is not the only protocol that can share knowledge about labels:
TDP (Cisco specific)
Figure: Label Switch Path (LSP) direction (packet flow) from the source toward the destination IP prefix. The upstream platform is the one nearer the source, the downstream platform the one nearer the destination.
Terminology
Label Information Base (LIB)
A data structure that holds locally assigned labels and labels learned from LDP peers
Figure: label distribution for 156.50.20.0/24. Bindings are advertised hop by hop toward the upstream routers (label 27 and label 85 for 156.50.20.0/24, received on S0/0 and propagated over S0/1 and S0/2).
Basic Configuration
ip cef
mpls ip
! Use LDP protocol as opposed to TDP
mpls label protocol ldp
mpls ldp router-id loopback0
interface e0/0
 ip address 10.10.20.0 255.255.255.0
 ! Enables LDP on this interface
 mpls ip
Label Space
Concepts
LSRs must be able to distinguish between labelled packets
A label corresponds to a particular Forwarding Equivalence Class (FEC)
An LSR can distribute the same label/FEC mapping to different neighbours. The same label can be assigned to different FECs if and only if the LSR can distinguish the interface from which the packet will arrive, that is, the LSR can identify which upstream neighbour inserted the label.
Figure: per-interface label space on router D, interface ATM 1/3, for 156.50.4.0/24.
The LFIB on an LSR contains the incoming interface. Labels have to be assigned for individual interfaces. The same label can be reused (with a different meaning) on different interfaces. Label allocation is secure: LSRs cannot send packets with labels that were not assigned to them.
Figure: per-platform label space on router D. Labels for destination X (X=25, X=38) are exchanged with neighbours B and E.
The LFIB on an LSR does not contain an incoming interface. The same label can be used on any interface and is announced to all adjacent LSRs. The label is announced to adjacent LSRs only once and can be used on any link. Per-platform label space is less secure than per-interface label space.
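The security point of the two label-space slides, as an added example that is not part of the Cisco deck. With a per-interface label space the LFIB is keyed on (incoming interface, label), so a label only works when it arrives from the neighbour it was assigned to; with a per-platform label space the key is the label alone, so any adjacent LSR that can reach the router may present any label the router has advertised to anyone. The router-D bindings (X=25 to B, X=38 to E) follow the deck's figure; the interface names, the outgoing entries and the sample arrivals are constructed. The `classify_arrival` check is a defender's addition: it compares what was forwarded against what was actually advertised on that interface, which is the condition an operator would want to log in per-platform mode.

```python
"""Added example: per-interface versus per-platform label space, and a
check for labels arriving on an interface they were never advertised to."""

# Labels router D advertised, per neighbour interface (constructed LDP state):
# X=25 to neighbour B on ATM1/3, X=38 to neighbour E on ATM1/4.
ADVERTISED = {"ATM1/3": {25}, "ATM1/4": {38}}

# Per-interface label space: the incoming interface is part of the LFIB key,
# which is what allows the same label value to be reused on another interface.
PER_INTERFACE_LFIB = {
    ("ATM1/3", 25): (37, "ATM2/1"),
    ("ATM1/4", 38): (42, "ATM2/2"),
}

# Per-platform label space: one table for the whole LSR, no interface in the key.
PER_PLATFORM_LFIB = {
    25: (37, "Serial0/0"),
    38: (42, "Serial0/1"),
}


def lookup(mode: str, iface: str, label: int):
    """Return (outgoing label, outgoing interface), or None if dropped."""
    if mode == "per-interface":
        return PER_INTERFACE_LFIB.get((iface, label))
    if mode == "per-platform":
        return PER_PLATFORM_LFIB.get(label)  # interface is ignored
    raise ValueError(f"unknown label space mode: {mode}")


def classify_arrival(mode: str, iface: str, label: int) -> dict:
    """Forwarding decision plus the defender's check: was this label advertised
    to the neighbour on this interface? Per-interface lookups agree with the
    advertisement record by construction; per-platform lookups can forward a
    label that was never given to that neighbour, the 'less secure' case."""
    entry = lookup(mode, iface, label)
    advertised = label in ADVERTISED.get(iface, set())
    return {
        "forwarded": entry is not None,
        "out": entry,
        "advertised_on_interface": advertised,
        "suspicious": entry is not None and not advertised,
    }


def audit(mode: str, arrivals) -> list:
    """arrivals: iterable of (interface, label). Returns the suspicious ones."""
    return [(iface, label) for iface, label in arrivals
            if classify_arrival(mode, iface, label)["suspicious"]]


# Constructed arrivals: the third one presents E's label on B's interface.
SAMPLE_ARRIVALS = [("ATM1/3", 25), ("ATM1/4", 38), ("ATM1/3", 38)]
```

In per-interface mode the third arrival has no LFIB entry and is dropped; in per-platform mode it is forwarded on Serial0/1 and is the one entry `audit` reports.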
LDP Identifier
Figure: LDP identifier layout. The LSR ID occupies four bytes (a.b.c.d) and is followed by the label space ID.
The LSR ID is a four byte number that identifies a specific LSR. These four bytes must be unique in the network. Generally they are derived from an interface on the LSR. In IOS (by default) this is the highest IP address, or highest IP address of a loopback if it is available.
Label Space ID
A two byte number that identifies a specific label space on the LSR. The label space id 0x00 is reserved for the platform label space (This is the Cisco default for Frame based MPLS)
LDP Identifier
The six byte concatenation of the LSR ID and LABEL SPACE ID results in the LDP Identifier. This uniquely identifies the label space.
Example: 156.50.10.1:0
router(config)#mpls ldp router-id loopback0 force
Force will change the LSR ID immediately, rather than waiting for a reload or for the current ID being removed.
LDP Session
Each LDP identifier has a separate LDP session per neighbour.
Each LSR label space has its own distinct LDP session. Multiple links between adjacent routers use the same session.
Each session has its own TCP (646) connection and discovery process.
Figure: two routers joined by Ethernet, the left one announcing LDP identifier 1.0.0.1:0.
One LDP session is established for each announced LDP identifier (Router ID + Label Space). The number of LDP sessions is determined by the number of different label spaces.
Extended discovery
Non-directly connected LSRs (e.g., across a TE path). Targeted hello packets to a specific address. Discovery is asymmetric (one in each direction).
Once discovery is done, LDP sessions are established over TCP (646)
Figure: LDP sessions between MPLS_A (1.0.0.1), MPLS_B (1.0.0.2) and MPLS_D (1.0.0.4); router C (1.0.0.3) runs no MPLS. The TCP connections are TCP (1.0.0.2:1043 to 1.0.0.1:646) and TCP (1.0.0.4:1065 to 1.0.0.1:646).
LDP Session is established from the LSR with higher transport address. The establishing router is called the Active LSR.
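The LDP identifier and session rules of the slides above (identifier layout and default LSR ID, one session per label space, active LSR chosen by the higher transport address) as an added example that is not part of the Cisco deck. Interface lists and peer identifiers are constructed; the TCP endpoint pair reproduces the figure's 1.0.0.2:1043 to 1.0.0.1:646 case. The default LSR ID selection follows the deck's description of the IOS default (highest loopback address if any loopback exists, otherwise the highest interface address).

```python
"""Added example: LDP identifier encoding, default LSR ID selection, session
counting per label space, and active/passive role selection."""
from __future__ import annotations
import ipaddress
import struct

LDP_PORT = 646


def ldp_identifier(lsr_id: str, label_space: int = 0) -> bytes:
    """Six-byte LDP identifier: LSR ID (4 bytes) + label space ID (2 bytes)."""
    if not 0 <= label_space <= 0xFFFF:
        raise ValueError("label space ID must fit in two bytes")
    return ipaddress.IPv4Address(lsr_id).packed + struct.pack("!H", label_space)


def format_ldp_identifier(ident: bytes) -> str:
    """Render as the deck does, e.g. 156.50.10.1:0."""
    if len(ident) != 6:
        raise ValueError("LDP identifier must be six bytes")
    (space,) = struct.unpack("!H", ident[4:6])
    return f"{ipaddress.IPv4Address(ident[:4])}:{space}"


def default_lsr_id(interfaces: list[tuple[str, str]]) -> str:
    """IOS default per the deck: highest loopback address if any loopback
    exists, otherwise the highest address of any interface."""
    loopbacks = [ipaddress.IPv4Address(ip) for name, ip in interfaces
                 if name.lower().startswith("loopback")]
    candidates = loopbacks or [ipaddress.IPv4Address(ip) for _, ip in interfaces]
    if not candidates:
        raise ValueError("no addressed interfaces")
    return str(max(candidates))


def session_count(peer_identifiers: list[str]) -> int:
    """One LDP session per distinct peer identifier (LSR ID + label space),
    however many parallel links carry the hellos."""
    return len(set(peer_identifiers))


def active_lsr(transport_a: str, transport_b: str) -> str:
    """The LSR with the higher transport address opens the TCP connection."""
    a, b = ipaddress.IPv4Address(transport_a), ipaddress.IPv4Address(transport_b)
    return transport_a if a > b else transport_b


def tcp_endpoints(transport_a: str, transport_b: str, ephemeral_port: int) -> tuple:
    """(source, destination) of the session's TCP connection: the active side
    uses an ephemeral port, the passive side listens on 646."""
    active = active_lsr(transport_a, transport_b)
    passive = transport_b if active == transport_a else transport_a
    return (f"{active}:{ephemeral_port}", f"{passive}:{LDP_PORT}")
```

Two parallel links to a peer that announces the same identifier still count as one session; a peer announcing a second label space (for example 1.0.0.2:1 alongside 1.0.0.2:0) needs a second session.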
Extended discovery is asymmetric. Once a neighbor is discovered, the mechanism to establish a session is the same.
Figure: routers R1 to R9; a traffic engineered path runs from R1 to R8 (R1 address 118.1.1.1), with a targeted LDP session between its two ends.
Targeted Configuration
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback0
interface tunnel0
 tunnel destination 10.20.10.1
 ! Enables LDP with target of 10.20.10.1
 mpls ip
mpls ldp discovery targeted-hello accept
If this command is entered, the router will accept targeted LDP hellos from the other end and establish the session.
Figure: routers R5, R6, R8, R9 along the TE path; the label stack per hop is TE label + LDP label + packet inside the tunnel, and LDP label + packet once the TE label has been removed.
Figure: session establishment between 1.0.0.1 and 1.0.0.2.
Peers first exchange initialization messages. The session is ready to exchange label mappings after receiving the first keepalive.
In session establishment, if there is an Init fatal notification, there is a backoff starting at less than 15 seconds and exponentially increasing to 2 minutes. Only the active LSR does this. The Hello configuration TLV could be used to speed up session establishment.
Whether labels are distributed regardless of whether an outgoing label is available for the prefix
Whether received labels are kept on the local router
Whether labels are distributed only if requested
The modes shown here are generally how Router and ATM switches are configured for MPLS
A label for a prefix is allocated and advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.
Figure: routers B, C, D, E with a label request for X (RQ X) travelling toward destination X.
An LSR can always assign a label for a prefix, even if it has no downstream label. Independent control can only be used for LSRs with layer-3 capabilities.
LFIB on Router C (after E has returned X=37):
Destination   IN Label   OUT Label   Next Hop
X             25         37          Router E
Figure: ordered control. Requests RQ X are forwarded hop by hop (B to C, C to D, D to E) toward destination X; labels are returned hop by hop in the opposite direction (X=37, X=17, X=82) before each LSR can fill its LFIB (shown for Router C).
An LSR can only assign a label if it has already received a label from the next-hop LSR; otherwise it must request a label from the next-hop LSR. Used in IP+ATM switches.
Figure: routers A, B, C, D, E; B advertises X = 25 to its neighbours, including ones that are not on the path to X.
Every LSR stores the received label in its LIB, even when the label is not received from a next-hop LSR. Liberal retention mode improves convergence speed.
The LSR stores only the labels received from next-hop LSRs; all other labels are ignored. Downstream-on-demand distribution is required during the convergence phase.
VPN Concepts
What is an MPLS-VPN?
An IP network infrastructure delivering private network services over a public infrastructure
Use a layer 3 backbone:
Scalability, easy provisioning
Global as well as non-unique private address space
QoS
Controlled access
Easy configuration for customers
VPN Models
There are two basic types of design models that deliver VPN functionality: the Overlay Model and the Peer Model.
Transparency between provider and customer networks. Optimal routing requires a full mesh over the backbone.
Figure: VPN-A, VPN-B and VPN-C; Site-2 and Site-3 belong to more than one VPN.
A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs. If two or more VPNs have a common site, address space must be unique among these VPNs.
The customer router connecting to the VPN backbone is called the Customer Edge (CE). PE routers face the CE routers and distribute VPN information through MP-BGP to other PE routers: VPN-IPv4 addresses, Extended Community, Label.
P routers do not run MP-BGP and do not have any VPN knowledge.
PE-CE Routing
Figure: CE1 - PE - CE2, with PE-CE routing on each link.
PE and CE routers exchange routing information through eBGP, Static, OSPF, ISIS, RIP or EIGRP. The CE router runs standard routing software and is not aware it is connected to a VPN network.
Figure: routing processes (BGP, RIP, Static) running within routing contexts (BGP 1, BGP 2, BGP 3, RIP 1, RIP 2).
Routing processes run within specific routing contexts. These populate specific VPN routing tables and FIBs (VRFs). Interfaces are assigned to VRFs.
Figure: three OSPF processes, one per routing context (VRF Site A, VRF Site B, VRF Site C).
With OSPF there is a single process per VRF. Same for IS-IS. No routing contexts. Prior to 12.0(27)S and 12.3(4)T a maximum of 28 processes was allowed.
Routing Tables
Figure: CE1 and CE2 attach to PE1 through PE-CE routing into a VRF; PE1, P1, P2 and PE2 form the VPN backbone running the backbone IGP (OSPF, ISIS); CE3 and CE4 attach to PE2.
LFIB for P1:
Dest   Next Hop   IN   OUT
PE2    P2         50   34
P2     E0/2       65   POP
PE1    S3/0       67   POP
LFIB for P2:
Dest   Next Hop   IN   OUT
PE2    P1         34   POP
P1     E0/1       38   POP
PE1    P1         39   67
All routers (P and PE) run an IGP and a label distribution protocol. Each P and PE router has routes for the backbone nodes and a label is associated with each route. MPLS forwarding is used within the core.
Multiple routing tables (VRFs) are used on PEs. Each VRF contains customer routes. Customer addresses can overlap; VPNs are isolated. Multi-Protocol BGP (MP-BGP) is used to propagate these addresses + labels between PE routers only.
What if two customers use the same address? BGP will propagate only one route - PROBLEM !!! Therefore MP-BGP must DISTINGUISH between customer addresses.
When a PE router receives VPN routes from MP-BGP, how do we know which VRF to place the route in? How do we distinguish overlapping addresses between two VPNs?
Figure: MP-iBGP session between PE1 and PE2 carrying "update X" for the prefix X that both CE1 and CE2 announce.
VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value.
MP-BGP prepends a Route Distinguisher (RD) to each VPN route in order to make it unique. MP-BGP assigns a Route-Target (RT) to each VPN route to identify the VPN it belongs to (or CUG).
The Route-Target is the colour of the route.
Multi-Protocol BGP
Propagates VPN routing information
Customer routes held in VPN Routing and Forwarding tables (VRFs)
Forwarding Example
TDP/LDP
Distributes label information for IP destinations in core
MP-BGP4
Used to distribute VPN routing information between PEs
RIPv2/BGP/OSPF/eiGRP/ISIS/Static
Can be used to route between PE and CE
VPN Components
VRF Tables
Hold customer routes at PE
Route-Distinguisher
Allows MP-BGP to distinguish between identical customer routes that are in different VPNs
Route-Targets
Used to import and export routes between different VRF tables (creates Intranets and Extranets)
Route-maps
Allows finer granularity and control of importing exporting routes between VRFs instead of just using route-target
Figure: CE - PE - RR - PE - CE. The exporting PE prepends the RD; the receiving PE asks "export RT = import RT?" before placing the route in a VRF.
Import routes into a VRF if route-targets match (export = import).
Customer routes are placed into separate VRF tables at each PE.
The IGP (OSPF, ISIS) is used to establish reachability to destination networks. The Label Distribution Protocol establishes mappings to IGP addresses.
CE-PE dynamic routing (or static) populates the VRF routing tables.
MP-BGP between PE routers distributes routes between VPNs.
Figure: packet format L2 Header | Label 1 | Label 2 | L3 Header | Data along CE - PE - P - PE - CE. The ingress PE pushes the VPN label (red route) and the IGP label (green PE router); the P router swaps the IGP label (from its LFIB); the penultimate hop pops the IGP label.
VPN Topologies
Figure: intranet VPN. Finance Site 1 and Finance Site 2 are connected across the MPLS core, each through a VRF on its PE.
MP-BGP VPNv4 updates are propagated between PEs. Routing is optimal in the backbone. No site is used as a central point for connectivity.
Figure: extranet between enterprise E and enterprise D; the shared routes (EB) appear in both VRFs.
Basic Extranet: routes can be imported directly into the corresponding VRF. NAT may be necessary if the Enterprises have overlapping addressing. Import granularity can be very fine: a single host address can be imported as an Extranet route.
Figure: hub-and-spoke. Spokes S1, S2 and S3 each reach the other spokes only through the Central HQ VRF.
Forces all branches through the Central HQ. Spokes cannot communicate directly. Appropriate security screening can be applied. Firewalls can be used with NAT to ensure the correct return path.
Figure: Internet access per group. Departments D1, D2, D3 reach the Internet through Gateway 1 (Marketing, Sales) or Gateway 2 (Legal only).
Choose the appropriate Internet Gateway per group requirements. Use other gateways as backup in case of failure. Gateways can provide different service attributes/levels: speed of access, type of content accessed, address translation if required.
Another model could use default route pointing to gateway in the global table
This assumes that customer uses registered address space
Figure: disaster recovery. Site 1, Site 2 and Site 3 are connected over the MPLS core, each through a VRF, so any site can act as backup for another.
Disaster recovery can be provided to each site in the Enterprise. If the Primary site fails, the Backup site takes over with no intervention. Virtualisation/Mirroring takes place between Primary/Secondary.
Figure: a PE router with CE-VPN-A (VPN A) and CE-VPN-B (VPN B) attached, both using 10.1.1.0/24.
Routing Information Protocol (RIP) is running in both VPNs. RIP in VPN A has to be different from RIP in VPN B, but Cisco IOS software supports only one RIP process per router.
Figure: a PE router with CE-RIP-B and CE-BGP-B attached to the routing instance for VRF-B.
Two VPNs attached to the same PE router. Each VPN is represented by a VRF (VRF-A and VRF-B). RIP and BGP are running between PE and CE routers.
RIP-speaking CE routers announce their prefixes to the PE router via RIP. The instance of the RIP process associated with the VRF into which the PE-CE interface belongs collects the routes and inserts them into the VRF routing table.
BGP-speaking CE routers announce their prefixes to the PE router via BGP. The instance of the BGP process associated with the VRF into which the PE-CE interface belongs collects the routes and inserts them into the VRF routing table.
RIP routes entered in the VRF routing table are redistributed into BGP for further propagation into the MPLS VPN backbone. Redistribution between RIP and BGP has to be configured for proper MPLS VPN operation.
The route distinguisher is prepended during route export to the BGP routes from the VRF instance of the BGP process to convert them into VPNv4 prefixes. Route targets are attached to these prefixes. VPNv4 prefixes are propagated to other PE routers.
VPNv4 prefixes are received from other PE routers. The VPNv4 prefixes are inserted into the proper VRF routing tables based on their route targets and the import route targets configured in the VRFs. The route distinguisher is removed during this process.
Routes received from backbone MP-BGP and imported into a VRF are forwarded as IPv4 routes to EBGP CE neighbors attached to that VRF.
MP-IBGP routes imported into a VRF are redistributed into the instance of RIP configured for that VRF. Redistribution between BGP and RIP has to be configured for end-to-end RIP routing between CE routers.
Routes redistributed from BGP into a VRF instance of RIP are sent to RIP-speaking CE routers.
router(config)#ip vrf name
Creates a new VRF or enters configuration of an existing VRF.
VRF names are case-sensitive.
A VRF is not operational unless you configure an RD.
VRF names have only local significance.
router(config-vrf)#rd route-distinguisher
Assigns a route distinguisher to a VRF.
You can use ASN:xx or A.B.C.D:xx format for the RD.
Each VRF in a PE router has to have a unique RD.
router(config-vrf)#route-target export RT
Specifies an RT to be attached to every route exported from this VRF to MP-BGP.
Allows specification of many export RTs; all are attached to every exported route.
router(config-vrf)#route-target import RT
Specifies an RT to be used as an import filter; only routes matching the RT are imported into the VRF.
Allows specification of many import RTs; any route where at least one RT attached to the route matches any import RT is imported into the VRF.
router(config-vrf)#route-target both RT
In cases where the export RT matches the import RT, use this form of the route-target command.
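The RD and RT handling described on the VPN routing slides above (RD prepended on export to keep identical customer prefixes distinct, RT attached on export, import into every VRF whose import RT set matches at least one attached RT, RD removed on import) as an added example that is not part of the Cisco deck. The VRF names, RD/RT values (in the deck's ASN:nn form), prefixes and PE address are constructed; the extranet VRF is included to show why the deck requires unique address space when two VPNs share a site.

```python
"""Added example: VPNv4 export/import with route distinguishers and route
targets, including detection of overlapping prefixes imported into one VRF."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str               # route distinguisher, e.g. "115:47"
    prefix: str           # customer IPv4 prefix, e.g. "10.1.1.0/24"
    next_hop: str         # the advertising PE (MP-iBGP next hop)
    rts: frozenset        # route targets carried as extended communities


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    routes: dict = field(default_factory=dict)  # prefix -> (next hop, source RD)


def export_vrf(vrf: Vrf, pe_address: str) -> list:
    """RD prepended and export RTs attached: VRF routes become VPNv4 routes."""
    return [Vpnv4Route(vrf.rd, prefix, pe_address, frozenset(vrf.export_rts))
            for prefix in vrf.routes]


def import_vpnv4(vrfs: list, vpnv4_routes: list) -> list:
    """Import filter: a route enters a VRF if any attached RT is in the VRF's
    import set. The RD is dropped on the way in (the VRF holds plain IPv4
    prefixes), so two VPNv4 routes with the same prefix but different RDs
    collide inside one VRF; such collisions are returned for the operator."""
    collisions = []
    for route in vpnv4_routes:
        for vrf in vrfs:
            if not (route.rts & vrf.import_rts):
                continue
            existing = vrf.routes.get(route.prefix)
            if existing is not None and existing[1] != route.rd:
                collisions.append((vrf.name, route.prefix, existing[1], route.rd))
            vrf.routes[route.prefix] = (route.next_hop, route.rd)
    return collisions


def scenario():
    """Constructed: two customers both using 10.1.1.0/24 behind PE1
    (172.16.1.1); PE2 holds one VRF per customer plus an extranet VRF that
    imports both customers' route targets."""
    cust_a = Vrf("Customer_A", "115:10", {"115:10"}, {"115:10"},
                 {"10.1.1.0/24": ("CE-A", "115:10")})
    cust_b = Vrf("Customer_B", "115:47", {"115:47"}, {"115:47"},
                 {"10.1.1.0/24": ("CE-B", "115:47")})
    vpnv4 = export_vrf(cust_a, "172.16.1.1") + export_vrf(cust_b, "172.16.1.1")

    remote = [Vrf("Customer_A", "115:10", {"115:10"}, {"115:10"}),
              Vrf("Customer_B", "115:47", {"115:47"}, {"115:47"}),
              Vrf("Extranet", "115:99", set(), {"115:10", "115:47"})]
    collisions = import_vpnv4(remote, vpnv4)
    return vpnv4, {v.name: dict(v.routes) for v in remote}, collisions
```

The two exported routes share the prefix but differ in RD, so MP-BGP carries both; each lands only in its own customer VRF on PE2, while the extranet VRF reports the collision the deck warns about.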
router(config-if)#ip vrf forwarding vrf-name
Associates an interface with the specified VRF.
The existing IP address is removed from the interface when the interface is put into a VRF; the IP address must be reconfigured.
CEF switching must be enabled on the interface.
Sample router configuration:
ip cef
!
interface serial 0/0
 ip vrf forwarding Customer_ABC
 ip address 10.0.0.1 255.255.255.252
Figure: PE-Site-X and PE-Site-Y with CE-BGP-A1, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2 attached.
The network supports two VPN customers. Customer A runs RIP and BGP with the service provider; customer B uses only RIP. Both customers use network 10.0.0.0.
Figure: PE-Site-X and PE-Site-Y with CE-BGP-A1, CE-RIP-A2, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2 attached. PE configuration:
ip vrf Customer_B
 rd 115:47
 route-target both 115:47
!
interface serial 1/0/1
 ip vrf forwarding Customer_A
 ip address 10.1.0.1 255.255.255.252
!
interface serial 1/0/2
 ip vrf forwarding Customer_A
 ip address 10.1.0.5 255.255.255.252
!
interface serial 1/1/3
 ip vrf forwarding Customer_B
 ip address 10.2.0.1 255.255.255.252
Configuring MP-BGP
Address families (routing contexts) are used to configure these three tasks in the same BGP process.
address-family vpnv4
BGP Neighbors
MP-BGP neighbors are configured under the BGP routing process.
These neighbors need to be activated for each global address family they support. Per-address-family parameters can be configured for these neighbors.
Configuring MP-BGP
MPLS VPN MP-BGP configuration steps:
Configure the MP-BGP neighbor under the BGP routing process
Configure the BGP address family VPNv4
Activate the configured BGP neighbor for VPNv4 route exchange
Specify additional parameters for VPNv4 route exchange (filters, next hops, and so forth)
Configuring MP-IBGP
router(config)#router bgp AS-number
router(config-router)#neighbor IP-address remote-as AS-number
router(config-router)#neighbor IP-address update-source loopback-interface
All MP-BGP neighbors have to be configured under the global BGP routing configuration.
MP-IBGP sessions have to run between loopback interfaces.
router(config-router)#address-family vpnv4
Starts configuration of MP-BGP routing for VPNv4 route exchange.
Parameters that apply only to the MP-BGP exchange of VPNv4 routes between already configured IBGP neighbors are configured under this address family.
Configuring MP-IBGP
router(config-router-af)#neighbor IP-address activate
The BGP neighbor defined under BGP router configuration has to be activated for VPNv4 route exchange.
router(config-router-af)#neighbor IP-address next-hop-self
The next-hop-self command must be configured on the MP-IBGP session for proper MPLS VPN configuration if EBGP is being run with a CE neighbor.
router(config-router-af)#neighbor IP-address send-community [standard | extended | both]
This command configures propagation of standard and extended BGP communities attached to VPNv4 prefixes.
Default value: only extended communities are sent.
Extended BGP communities attached to VPNv4 prefixes must be exchanged between MP-BGP neighbors for proper MPLS VPN operation.
To propagate standard BGP communities between MP-BGP neighbors, use the both option.
Figure: PE-Site-X and PE-Site-Y with CE-BGP-A1, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2 attached. MP-IBGP configuration on a PE:
interface loopback 0
 ip address 172.16.1.1 255.255.255.255
!
router bgp 115
 neighbor 172.16.1.2 remote-as 115
 neighbor 172.16.1.2 update-source loopback 0
 !
 address-family vpnv4
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 next-hop-self
  neighbor 172.16.1.2 send-community both
router(config-router)#no bgp default ipv4-unicast
Exchange of IPv4 routes between BGP neighbors is enabled by default; every configured neighbor will also receive IPv4 routes.
This command disables the default exchange of IPv4 routes; neighbors that need to receive IPv4 routes have to be activated for IPv4 route exchange.
Use this command when the same router carries Internet and VPNv4 routes and you don't want to propagate Internet routes to some PE neighbors.
router bgp 12703
 no bgp default ipv4-unicast
 neighbor 172.16.32.14 remote-as 12703
 neighbor 172.16.32.15 remote-as 12703
 neighbor 172.16.32.27 remote-as 12703
 ! Activate IPv4 route exchange
 neighbor 172.16.32.14 activate
 neighbor 172.16.32.27 activate
 ! Step#2 VPNv4 route exchange
 address-family vpnv4
  neighbor 172.16.32.15 activate
  neighbor 172.16.32.27 activate
router(config)#router bgp AS-number
router(config-router)#address-family ipv4 vrf vrf-name
... Per-VRF BGP definitions ...
The per-VRF BGP context is selected with the address-family command.
CE EBGP neighbors are configured in the VRF context, not in the global BGP configuration.
router(config)#router rip
router(config-router)#address-family ipv4 vrf vrf-name
... Per-VRF RIP definitions ...
Similar to BGP, select the per-VRF RIP context with the address-family command.
Configure all per-VRF RIP parameters there, starting with network numbers.
Figure: PE-Site-X and PE-Site-Y with CE-BGP-A1, CE-BGP-A2, CE-RIP-A2, CE-RIP-B1 and CE-RIP-B2 attached across the VPN backbone.
CE router in customer AS 65001:
router bgp 65001
 neighbor 10.200.1.2 remote-as 115
 network 10.1.0.0 mask 255.255.0.0
PE router in provider AS 115:
router bgp 115
 !
 address-family ipv4 vrf Customer_A
  neighbor 10.200.1.1 remote-as 65001
  neighbor 10.200.1.1 activate
router(config)#router rip
router(config-router)#address-family ipv4 vrf vrf-name
router(config-router-af)#redistribute bgp AS-number metric transparent
BGP routes have to be redistributed back into RIP if you want to have end-to-end RIP routing in the customer network.
The RIP hop count is copied into the BGP multi-exit discriminator attribute (default BGP behavior).
The RIP hop count has to be manually set for routes redistributed into RIP.
With the metric transparent option, the BGP MED is copied into the RIP hop count, resulting in a consistent end-to-end RIP hop count.
Figure: PE-Site-X and PE-Site-Y with CE-BGP-A1, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2 attached. PE configuration:
router rip
 version 2
 address-family ipv4 vrf Customer_ABC
  network 10.0.0.0
  redistribute bgp 12703 metric transparent
!
router bgp 12703
 address-family ipv4 vrf Customer_ABC
  redistribute rip
router(config)#router ospf process-id vrf name
... Standard OSPF parameters ...
This command configures the per-VRF OSPF routing process.
Sample router configuration:
router ospf 123 vrf Customer_ABC
 network 0.0.0.0 255.255.255.255 area 0
 redistribute bgp 12703
!
router bgp 12703
 address-family ipv4 vrf Customer_ABC
  redistribute ospf 123
router(config)#ip route vrf vrf-name prefix mask next-hop [interface]
This command configures per-VRF static routes.
The route is entered in the VRF table.
On Ethernet interfaces, you must specify the next hop as well as the outgoing interface.
Sample router configuration:
ip route vrf Customer_ABC 10.0.0.0 255.0.0.0 10.250.0.2 ethernet 0/0
!
router bgp 12703
 address-family ipv4 vrf Customer_ABC
  redistribute static
Monitoring VRF
router#show ip vrf
Router#show ip vrf
  Name        Default RD     Interfaces
  SiteA2      103:30         Serial1/0.20
  SiteB       103:11         Serial1/0.100
  SiteX       103:20         Ethernet0/0
Router#
router#show ip bgp neighbors
Displays global BGP neighbors and the protocols negotiated with these neighbors.
router#show ip bgp vpnv4 vrf vrf-name
Displays only BGP parameters (routes or neighbors) associated with the specified VRF. Any BGP show command can be used with these parameters.
router#show ip bgp vpnv4 rd route-distinguisher
Displays only BGP parameters (routes or neighbors) associated with the specified RD.
The show ip cef command can also display the label stack associated with the MP-IBGP route.
Router#show tag-switching forwarding vrf SiteA2
Local  Outgoing    Prefix             Bytes tag
tag    tag or VC   or Tunnel Id       switched
37     Untagged    203.1.2.1/32[V]    0
        MAC/Encaps=0/0, MTU=1504, Tag Stack{}
        VPN route: SiteA2
        Per-packet load-sharing
MPLS Troubleshooting
FORWARDING Plane
Involves FIB, LFIB, etc.
Each of these protocols can distribute a label for IPv4 prefixes. Enabling MPLS means the ability to send/receive MPLS packets on an interface.
Forwarding Plane
Once labels are exchanged, the LIB is built. The LIB and FIB together are used to build the LFIB.
Diagram: LDP discovery between PE1 and PE2; PE1 transmits Hello (PE1:0), PE2 receives Hello (PE2:0)
Diagram: PE2 --Serial2/0-- P1
show mpls interfaces summary for Serial2/0: IP Yes (ldp), Tunnel No, Operational Yes
!
interface Serial2/0
 description To P1 ser2/0
 ip address 10.13.2.6/30
 mpls label protocol ldp
 tag-switching ip
 tag-switching mtu 1508
!
PE2#sh mpls interface ser2/0 detail
Interface Serial2/0:
        IP labeling enabled (ldp)          [callout: MPLS Enabled / LDP Enabled]
        LSP Tunnel labeling not enabled
        BGP tagging not enabled
        Tagging operational
        Fast Switching Vectors:
          IP to MPLS Fast Switching Vector
          MPLS Turbo Vector
        MTU = 1508                          [callout: MPLS MTU]
PE2#
RSP-PE-SOUTH-6#sh mpls int ATM1/1/0.108 de
Interface ATM1/1/0.108:
        IP labeling not enabled             [callout: LDP not enabled]
        LSP Tunnel labeling not enabled
        BGP tagging enabled                 [callout: BGP+Label Enabled]
        Tagging operational                 [callout: MPLS is Operational]
        Optimum Switching Vectors:
          IP to MPLS Feature Vector
          MPLS Feature Vector
        Fast Switching Vectors:
          IP to MPLS Fast Feature Switching Vector
          MPLS Feature Vector
        MTU = 4470                          [callout: MPLS MTU]
RSP-PE-SOUTH-6#
LDP INITIALIZATION, KEEPALIVE and ADDRESS messages are exchanged to establish the LDP session. The LSR_ID (transport address) MUST be IP reachable.
Diagram: LDP session Hello between PE1 (10.13.1.61/32) and P1 (10.13.1.101/32)
The LSR_ID is a four-byte number that identifies a specific LSR. It is derived from an interface on the LSR. By default, it is the highest IP address, or the highest IP address of a loopback if one is available.
Label_Space_Id
A two byte number that identifies a specific label space on the LSR. 0x00 is reserved for the platform label space (i.e. frame-mode MPLS). Non-zero refers to the interface label space (i.e. cell-mode MPLS).
TCP session residue: 10.13.1.61.646 ESTAB (the LDP session on TCP port 646 is established)
Diagram: PE1 (10.13.1.61/32) --E0/0--E0/1-- P1 (10.13.1.101/32); 10.13.1.62/32 is reached via P1
PE1 (callout): "Oh ok. Per RIB, 10.13.1.101 is the next-hop for 10.13.1.62/32. I have to use label 2001 in LFIB."
PE1#sh mpls forwarding 10.13.1.62
Local  Outgoing    Prefix
tag    tag or VC   or Tunnel Id
       2001        10.13.1.62/32
Forwarding Plane
RIB/FIB/LIB/LFIB
RIB is the Routing Information Base, which is analogous to the IP routing table.
FIB, aka CEF, is the Forwarding Information Base, which is derived from the IP routing table.
LIB is the Label Information Base, which contains all the label bindings learned via LDP.
LFIB is the Label Forwarding Information Base, which is derived from FIB entries and the corresponding LIB entries.
Let's go through the pictorial view.
Diagram: forwarding plane; an incoming IP packet is managed by CEF
Forwarding Plane
2. Check whether the correct local LSR_ID is used on both LSRs (sh mpls ldp disc).
sh mpls ldp discovery (2nd line in the output)
6. An Untagged outgoing label for /32 routes, i.e. PE loopbacks, is almost always alarming.
sh mpls ldp bind <prefix> <mask>
PE1#sh mpls ldp bind 10.13.1.62 32
  tib entry: 10.13.1.62/32, rev 16
        local binding:  tag: 17
        remote binding: tsr: 10.13.1.101:0, tag: 2001
PE1#
Forwarding Plane
Diagram: PE1 --- P1 (10.13.1.101/32)
PE1#sh mpls ldp discovery
 Local LDP Identifier:
    10.13.1.61:0
    Discovery Sources:
    Interfaces:
        ATM1/1/0.108 (tdp): xmit           [callout: TDP; why no recv?]
PE1#

P1#sh mpls ldp discovery
 Local LDP Identifier:
    10.13.1.101:0
    LDP Discovery Sources:
    Interfaces:
        ATM2/0.108(ldp): xmit              [callout: LDP; why no recv?]
P1#
Diagram: PE1 --- P1 (10.13.1.101/32)
P1#sh mpls ldp discovery
 Local LDP Identifier:
    10.13.1.101:0
    LDP Discovery Sources:
    Interfaces:
        ATM2/0.108: xmit/recv
            LDP Id: 10.13.1.61:0; no route
P1#
P1#sh ip route 10.13.1.61
% Network not in table
P1#
TIP: Check for IP reachability to the LDP_ID; fix it by letting PE1 advertise 10.13.1.61/32 via the IGP to P1.
Diagram: PE1 --- P1 (10.13.1.48/32)
P1#sh mpls ldp neighbor 10.13.1.41
P1#                                                  [callout: oops]
P1#sh mpls ldp discovery
 Local LDP Identifier:
    10.13.1.48:0
    Gi3/0/0.44 (ldp): xmit/recv
        LDP Id: 10.13.1.41:0                         [callout: Ok.]
P1#
P1#sh ip route 10.13.1.41
Routing entry for 10.13.0.0/22                       [callout: Ouchhh]
  Known via "bgp 30000", distance 200, metric 0
  Tag 1, type internal
  Last update from 10.13.1.251 20:10:38 ago
  Routing Descriptor Blocks:
  * 10.13.1.251, from 10.13.1.40, 20:10:38 ago
      Route metric is 0, traffic share count is 1
      AS Hops 5
P1#
Diagram: PE1 --- P1 (10.13.1.48/32)
PE1#ping 10.13.1.48
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.13.1.48, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
PE1#

P1#ping 10.13.1.41
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.13.1.41, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
P1#
Eeeekks!! It is an IP problem.
TIP: Check for IP connectivity first. Unless Layer 3 is up, Layer 4 (the TCP session for LDP) won't come up.
Diagram: PE1 (Pos4/1/0) --- P1 (Pos0/0); prefix 11.10.128.138
But there is a RIB entry. Let's check the FIB entry.
TIP: If the local label for a prefix is not the same in the FIB and LIB, then issue clear ip route <prefix> to fix it.
No Local Binding
LDP doesn't allocate labels for the BGP-learned IPv4 routes.
MPLS label stack entry (32 bits, four bytes of 8 bits each):
 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
|              Label (20 bits)          | EXP |S|      TTL      |
Routers always make the forwarding decision based on the topmost label, i.e. Label1 below.
Label stack: MAC | Label1 | Label2 | Label3 | Layer 3
The outgoing label also conveys what treatment the packet is going to get; it could also be:
  Pop         Pops the topmost label
  Untagged    Untag the incoming MPLS packet
  Aggregate   Untag and then do a FIB lookup
  0           Nullify the top label (first 20 bits)

Pop: Pop the top label from the label stack present in an incoming MPLS packet and forward it as an MPLS packet; if there was only one label in the stack, then forward it as an IP packet. SAME as the imp-null label.
Aggregate: Convert the incoming MPLS packet to an IP packet and then do a FIB lookup for it to find out the outgoing interface.
0 (zero): Same as the exp-null label; simply fills 0 in the first 20 bits of the label; helps to preserve the EXP value of the top label.
PE1 does a FIB lookup for the incoming IP packet It imposes the label (if there is one) For troubleshooting, look at the FIB (not LFIB)
PE1#sh ip cef 1.1.1.0
1.1.1.0/30, version 25, epoch 0, cached adjacency 10.13.1.5
0 packets, 0 bytes
  tag information set
    local tag: 20
    fast tag rewrite with Et0/0, 10.13.1.5, tags imposed: {2001}
  via 10.13.1.5, Ethernet0/0, 0 dependencies
    next hop 10.13.1.5, Ethernet0/0
    valid cached adjacency
    tag rewrite with Et0/0, 10.13.1.5, tags imposed: {2001}
PE1#
Diagram: IP Packet -> PE1 -> [2001 | IP Packet] -> P1 -> [20 | IP Packet]
P1 does the LFIB lookup for incoming MPLS packets. P1 could swap (or dispose of) the label. For troubleshooting, look at the LFIB (not the FIB).
P1#sh mpls for 1.1.1.0
Local  Outgoing    Prefix            Bytes tag
tag    tag or VC   or Tunnel Id      switched
2001   20          1.1.1.0/30        0
P1#
Diagram: [20 | IP Packet] -> PE2 -> IP Packet
This typically happens at the edge; it could also happen at the PHP router. For troubleshooting, look at the LFIB (not the FIB).
PE2#sh mpls for 1.1.1.0
Local  Outgoing    Prefix
tag    tag or VC   or Tunnel Id
20     Untagged    1.1.1.0/30
PE2#
But the destination must be known in the FIB table, otherwise the command won't work.
It won't work on P routers for the VPN prefixes.
Label imposition increases the packet size by 4 bytes per label, hence the outgoing packet size may exceed the interface MTU, hence the need to tune the MTU. The question is: which MTU to tune in an MPLS network?
Callouts on the show mpls forwarding detail output:
Detail is optional.
Next Hop 10.13.7.33
MRU: Max Receivable Unit. The received packet will be transmitted unfragmented on Fa1/1/1 if its size is not more than 1500B.
14/18 means that the L2 header is 14 bytes, but the L2+label header is 18 bytes (one label is 4 bytes).
6. Check that the LFIB's outgoing label is the same as the incoming label in the neighbor's LFIB.
7. Check the LSP via traceroute, which shows the labels used by each router in the path. **
traceroute <prefix>
Adjacency detail output (slide residue):
      Ethernet0/0    10.13.1.5(6)
                     0 packets, 0 bytes
                     AABBCC006500AABBCC0001008847
                     mpls adj never
                     Epoch: 0
IP    Ethernet0/0    10.13.1.5(35)
                     0 packets, 0 bytes
                     AABBCC006500AABBCC0001000800      [callout: L2 header for IP]
                     ARP 03:46:13
                     Epoch: 0
PE1#
2611-CE-30#sh ip cef 10.13.1.74
10.13.1.74/32, version 43, epoch 0, cached adjacency 5.5.5.14
0 packets, 0 bytes
  tag information set
    local tag: BGP route head
    fast tag rewrite with Recursive rewrite via 217.60.217.2/32, tags imposed {23}
  via 217.60.217.2, 0 dependencies, recursive
    next hop 5.5.5.14, Ethernet0/0.2 via 217.60.217.2/32
    valid cached adjacency
    tag rewrite with Recursive rewrite via 217.60.217.2/32, tags imposed {23}
2611-CE-30#
Problem with the 217.60.217.2. Check its label binding in FIB/ LIB.
(a) usually turns out to be an LDP problem, and should be fixed by investigating LDP; (b) could be fixed by clear ip route <prefix> or clear ip bgp *.
Tip                                                                             Command
Make sure that the export RT <X> at the advertising PE matches the              sh ip vrf detail <vrf> | inc Export|Import
  import RT <X> at the receiving PE
Validate the match/set clause within the export-map or import-map (if any)      sh ip vrf de <vrf> | inc route-map; sh route-map <map>
If BGP is not the chosen PE-CE protocol, then validate the BGP->IGP             sh run | b router <igp>
  redistribution
Check whether the remote PE is configured as the rr-client within the
  VPNv4 af at the route reflectors
Tip
Make sure that the route reflectors and PEs are configured to send the extended community towards the iBGP peers within the VPNv4 af.

#   Symptom                                            Tip                                                                       Commands
5   VPNv4 traffic is not getting forwarded end-to-end  Check the label information in BGP and the LFIB at the advertising PE     sh ip bgp vpn vrf <vrf> label | inc <prefix>; sh mpls for vrf <vrf> | inc <prefix>
6   VPNv4 traffic is not getting forwarded end-to-end  Check the label information in BGP and the FIB at the receiving PE        sh ip bgp vpn vrf <vrf> label | inc <prefix>; sh ip cef vrf <vrf> <prefix>
Agenda
Control Plane
Control Plane Troubleshooting Tips Real-life Examples Summary of Helpful Cisco IOS Commands
Forwarding Plane
Dissecting LFIB Load sharing in MPLS VPN Networks Forwarding Plane Troubleshooting Tips Real-life Examples Summary of Helpful Cisco IOS Commands
Conclusion
Diagram: CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32)
TIP: Label allocation is done by BGP, so make sure the prefix is in the BGP VRF table. Hint: redistribute connected.
Diagram: CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32)
PE1#sh ip bgp vpn vrf v1 label | i 200.1.61.4
   200.1.61.4/30      0.0.0.0         30/nolabel
PE1#
PE1#sh mpls forwarding vrf v1 | i 200.1.61.4
30     Aggregate   200.1.61.4/30[V]   0
PE1#
As soon as BGP gets the VPN prefix, it allocates the local label and installs the prefix+label in both BGP and the LFIB.
Diagram: CE1 -- PE1 -- RR1 -- PE2 (Loop0: 10.13.1.62/32) -- CE-2
PE2#sh ip bgp vpn vrf v1 200.1.61.4
% Network not in the table
PE2#
PE2#sh ip vrf de v1 | beg Import
  No Import VPN route-target communities
  No import route-map
  No export route-map
PE2#
TIP: Validate the route-target import config at PE2. If it is not present, then configure it; check for an import-map as well.
Diagram: CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32) -- PE2 (Loop0: 10.13.1.62/32) -- CE-2
PE2#sh ip bgp vpn vrf v1 200.1.61.4
% Network not in the table
PE2#
We already fixed PE2, so let's go to PE1: validate the route-target export in the VRF at PE1.
Ooops.. RT is missing
Diagram: CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32) -- PE2 (Loop0: 10.13.1.62/32) -- CE-2
TIP: Configure the route-target export in the VRF on the local PE, i.e. PE1. Let's make sure that the RT is getting tagged to the VPNv4 prefix.
MPLS VPN Ctrl Plane Trouble #4 (Cont.): RT is getting tagged
Diagram: AS#1 MPLS backbone; CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32) -- RR1 -- PE2
PE1#sh ip bgp vpnv4 vrf v1 200.1.61.4
BGP routing table entry for 1:1:200.1.61.4/30, version 10
Paths: (2 available, best #2, table v1)
  Advertised to non peer-group peers:
  10.13.1.21 200.1.61.6
  Local
    0.0.0.0 from 0.0.0.0 (10.13.1.61)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:1
PE1#
Extra-TIP: If an export or import map is also configured, then check the RT in the set clause, along with the match clause.
Diagram: CE1 -- PE1 (Loop0: 10.13.1.61/32) -- RR1 -- PE2 (Loop0: 10.13.1.62/32) -- CE-2
RR1 is indeed receiving the prefix from PE1. Make sure that the RR is configured with neighbor <PE2> send-community extended under the vpnv4 address-family.
Before:
RR1#sh run | inc send-community ext
 neighbor 10.13.1.61 send-community extended
RR1#
After:
RR1#sh run | inc send-community ext
 neighbor 10.13.1.61 send-community extended
 neighbor 10.13.1.62 send-community extended
RR1#
TIP: All the MP-BGP peers must be configured with send-community extended|both. Also make sure that PE1 and PE2 are configured as route-reflector-client under the vpnv4 af at RR1.
MPLS VPN Control Plane Trouble #6: Remote PE (PE2) STILL doesn't get the VPNv4 prefix from PE1
Diagram: AS#1 MPLS backbone; CE1 -- PE1 (Loop0: 10.13.1.61/32) -- RR1 -- PE2 (Ser2/0, Loop0: 10.13.1.62/32) -- CE-2
Hmm, we have already verified PE1 and RR1; something must be missing on PE2 then. Let's check for any import-map at PE2 again.
PE2#sh ip vrf detail v1 | i Import
  Import route-map: raj-import
PE2#
PE2#sh route-map raj-import
route-map raj-import, permit, sequence 10
  Match clauses:
    extcommunity (extcommunity-list filter):1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
PE2#
PE2#sh ip extcommunity-list 1
Extended community standard list 1
    deny RT:1:1
    deny RT:2:2
PE2#
PE2#sh ip bgp vpn vrf v1 200.1.61.4
% Network not in the table
PE2#
Diagram: CE1 --Ser2/0-- PE1 (Loop0: 10.13.1.61/32) -- PE2 (Loop0: 10.13.1.62/32) -- CE-2
PE#clear ip bgp * vpnv4 unicast in
PE2#sh ip bgp vpnv4 vrf v1 200.1.61.4
BGP routing table entry for 1:1:200.1.61.4/30, version 180
Paths: (1 available, best #1, table v1)
  Advertised to non peer-group peers:
  200.1.62.6
  Local
    10.13.1.61 (metric 75) from 10.13.1.21 (10.13.1.21)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:1
      Originator: 10.13.1.61, Cluster list: 10.13.1.21
PE2#
TIP: If an import-map is configured within the VRF, then import route-target <rt> must also be configured within the VRF for the relevant RT.
MPLS VPN Control Plane Trouble #7: Label mismatch between BGP and FIB
Diagram: CE1 -- PE1 (Loop0: 10.13.1.61/32) -- RR1 -- PE2 (Ser2/0, Loop0: 10.13.1.62/32) -- CE-2
PE2#sh ip bgp vpnv4 vrf v1 labels | i 200.1.61.4
   200.1.61.4/30      10.13.1.61      nolabel/25
PE2#
PE2#sh ip cef vrf v1 200.1.61.4
200.1.61.4/30, version 64, epoch 0, cached adjacency to Serial2/0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se2/0, point2point, tags imposed: {2003 20}
  via 10.13.1.61, 0 dependencies, recursive
    next hop 10.13.2.5, Serial2/0 via 10.13.1.61/32
    valid cached adjacency
    tag rewrite with Se2/0, point2point, tags imposed: {2003 20}
PE2#
Fix: clear ip route vrf <vrf> <prefix>. If the mismatch doesn't go away, then use debug ip bgp vpn and debug mpls lfib cef to dig in.
MPLS VPN Control Plane Trouble #8: Remote PE receives the route, but the remote CE doesn't
Diagram: CE1 (AS#65000, Loop0: 5.5.5.5/32) --Ser2/0-- PE1 (Loop0: 10.13.1.61/32) -- PE2 (Loop0: 10.13.1.62/32) -- CE-2 (AS#65000)
PE1 configuration:
router bgp 1
 !
 address-family ipv4 vrf v1
  neighbor 200.1.62.6 as-override
 exit-address-family
!
TIP: If eBGP is used on PE-CE and the VPN sites use the same ASN, then configure as-override on the BGP VRF af on both PEs. If an IGP is used on PE-CE, then validate the BGP->IGP redistribution (within the IGP VRF) on the PE.
sh ip ospf <process-id>
Select the VRF-associated process-id to see the relevant OSPF info (a lot of info).
Relevant towards the RR (or remote PE) peers: clear ip bgp * vpnv4 unicast in
A route-refresh request is sent to all the MP-BGP peers.
MRU: Max Receivable Unit; the received packet will be transmitted unfragmented on Fa1/1/1 if the received packet's size is not more than 1500B.
MAC header     = 0003FD1C828100044E754829
MPLS Ethertype = 0x8847
Label          = 0x00033000: first 20 bits (0x00033) = label 51
                 0x00033000: next 4 bits = EXP + S
                 0x00033000: last 8 bits = MPLS TTL
Although the MAC header is 14 bytes, the actual encapsulation, i.e. MAC+MPLS header, is 18 bytes (one label is 4 bytes).
MPLS VPN Forwarding Plane - Dissecting LFIB: show mpls forward (Cont.)
VPN Prefix in the LFIB
Diagram: CE1 (5.5.5.5/32) -- PE1 -- P1 -- PE2
PE1#sh mpls for vrf v1 5.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing
tag    tag or VC   or Tunnel Id      switched   interface
27     Untagged    5.5.5.5/32[V]     0          Se2/0
        MAC/Encaps=0/0, MRU=1504, Tag Stack{}
        VPN route: v1
        No output feature configured
        Per-packet load-sharing
PE1#
Only a 1504-byte packet can be received, because 1504 - 4 (for one label, 27) = 1500 is the MTU size of Se2/0. The MAC/Encaps field corresponds to the tag adjacency, and because the VRF interface doesn't typically have MPLS enabled, the tag adjacency is 0; hence the 0/0 output.
The IP src and dest addresses inside the MPLS packet are hashed to find the right LSP.
Don't panic: the IGP label is chosen during forwarding (depending on the hash bucket).
The IGP label and the outgoing interface are derived after the hash bucket is decided.
In summary, the show output in the load-sharing case gets a bit tricky, but the fundamentals are the same.
Diagram: P1 --E1/0-- P3
For VPN traffic, the P router hashes the IP src+dest to assign the packet to the correct hash bucket. The sh ip cef exact-route command can't be used on the P router since it doesn't know the VPN addresses.
Hence, rely on the (LFIB) counters to make sure the traffic is getting load-shared.
Just like the TTL in the IP header, the MPLS header also has a 1-byte TTL field. When an IP packet is first labelled at the ingress, (IP TTL - 1) is copied to the MPLS TTL. Later, when the label is popped/disposed of, the MPLS TTL value of the removed label is copied either to the MPLS TTL of the inner label or to the IP TTL field (if there is no inner label), provided MPLS TTL < IP TTL.
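The label stack entry layout and the TTL propagation rule above, as an added example (Python, not code from the Cisco deck): parse_mpls_frame decodes a label stack from an Ethernet frame, and impose_label/pop_label apply the ingress and pop TTL rules, including the case where the popped TTL is not smaller than the inner one. The MAC header, Ethertype 0x8847 and label 51 come from the deck's dissection slide; the S bit, TTL 254 and payload bytes are constructed.

```python
"""Added example, not code from the Cisco training deck: decode an MPLS
label stack from an Ethernet frame and apply the TTL propagation rule
described above. The MAC header, Ethertype 0x8847 and label 51 are from the
deck's dissection slide; S bit, TTL and payload bytes are constructed."""
import struct
from dataclasses import dataclass, replace

MPLS_UNICAST_ETHERTYPE = 0x8847


@dataclass
class LabelEntry:
    label: int  # 20-bit label value
    exp: int    # 3-bit EXP (traffic class) field
    bos: bool   # bottom-of-stack (S) bit
    ttl: int    # 8-bit MPLS TTL


def decode_label_entry(word: int) -> LabelEntry:
    """Split one 32-bit label stack entry into label, EXP, S and TTL."""
    return LabelEntry(label=(word >> 12) & 0xFFFFF,
                      exp=(word >> 9) & 0x7,
                      bos=bool((word >> 8) & 0x1),
                      ttl=word & 0xFF)


def encode_label_entry(e: LabelEntry) -> int:
    """Inverse of decode_label_entry: pack the four fields into 32 bits."""
    return (((e.label & 0xFFFFF) << 12) | ((e.exp & 0x7) << 9)
            | (int(e.bos) << 8) | (e.ttl & 0xFF))


def parse_mpls_frame(frame: bytes):
    """Return (label stack, payload) for an Ethernet frame.

    A frame whose Ethertype is not 0x8847 carries no label stack. Entries are
    read until one has S=1; a frame that ends before that is rejected rather
    than treated as a valid labelled packet."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MPLS_UNICAST_ETHERTYPE:
        return [], frame[14:]
    stack, offset = [], 14
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        entry = decode_label_entry(word)
        stack.append(entry)
        offset += 4
        if entry.bos:
            return stack, frame[offset:]


def impose_label(ip_ttl: int, label: int, exp: int = 0) -> LabelEntry:
    """Ingress PE: the new (bottom) label carries IP TTL - 1."""
    return LabelEntry(label, exp, True, ip_ttl - 1)


def pop_label(stack, ip_ttl):
    """Pop the top entry and return (remaining stack, IP TTL). The popped TTL
    is copied to the next label, or to the IP header when no label is left,
    only if it is smaller than the value already there."""
    top, rest = stack[0], list(stack[1:])
    if rest:
        if top.ttl < rest[0].ttl:
            rest[0] = replace(rest[0], ttl=top.ttl)
        return rest, ip_ttl
    return rest, min(top.ttl, ip_ttl)


# Constructed frame: the deck's MAC header and Ethertype, then label 51 with
# EXP 0, S=1, TTL 254 (0x000331FE), then four placeholder payload bytes.
SAMPLE_FRAME = bytes.fromhex("0003FD1C8281" "00044E754829" "8847"
                             "000331FE" "45000054")
```

Feeding it the two-label stack {2003 20} from the Trouble #7 slide shows the outer label's TTL carried into the inner one on the first pop and into the IP header on the second.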
Symptom                                                  Action
CE-CE traffic fails                                      Verify that the PE-PE VPN traffic can pass using vrf pings (assuming the control plane information has already been verified*)
PE-PE MPLS traffic fails                                 Validate the PE->PE IP connectivity (PE#ping <remotePE>); then check for the LSP
PE-PE IP traffic passes, but MPLS traffic fails          Find out where exactly the LSP is broken
Incoming MPLS traffic is dropped at the egress PE        Check the LFIB entries on both RP and LC (and relevant HW engines, if present)
(symptom text not captured)                              Check the MPLS MTU size of the MPLS-enabled interfaces and make sure it is more than the reported failed MTU size; verify that the Ethernet switch ports inside the MPLS core are enabled with baby giant support
Diagram: CE1 -- PE1 (Loop0: 10.13.1.61/32, E0/0) --E1/0-- P1 --Ser2/0-- PE2 (200.1.62.4/30) -- CE2
FIB / LFIB checks:
PE1#sh mpls for vrf v1 | inc 200.1.61.4
PE2#sh mpls for vrf v1 | inc 200.1.62.4
Turn on deb ip icmp on both PEs.
Step 1: Issue ping vrf v1 <remote_PE-CE_address> on both PEs.
Step 2: If they pass, then we have verified that the problem is not in the MPLS core.
Diagram: CE1 (5.5.5.5/32) -- PE1 (Loop0: 10.13.1.61/32, E0/0) --E1/0-- P1 --Ser2/0-- PE2 (200.1.62.4/30)
PE1#sh ip cef vrf v1 200.1.62.4
200.1.62.4/30, version 10, epoch 0, per-destination sharing
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Recursive rewrite via 10.13.1.62/32, tags imposed {25}
  via 10.13.1.62, 0 dependencies, recursive
    next hop 10.13.1.9, Ethernet1/0 via 10.13.1.62/32
    valid adjacency
    tag rewrite with Recursive rewrite via 10.13.1.62/32, tags imposed {25}
  Recursive load sharing using 10.13.1.62/32.
PE1#
Step 1:
PE1#deb ip icmp
ICMP packet debugging is on
PE1#
PE1#ping vrf v1 200.1.62.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.61.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PE1#
Step 3: OK, although the vrf pings failed at PE1, the ICMP debugs at PE2 confirm that the PE1->PE2 LSP is error free. Let's ping in the opposite direction to check the PE2->PE1 LSP.
Since PE1 didn't get/show any ICMP echos for the vrf pings:
a) Either the PE2->PE1 LSP is broken
Step 4:
PE1#ping 10.13.1.62
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.13.1.62, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/57/92 ms
PE1#

P1#sh mpls forward
Local  Outgoing
tag    tag or VC
2003   Untagged
       Untagged
P1#
Step 5: IP reachability is confirmed between PE1 and PE2 (steps 1 and 2); GOOD; but that doesn't validate the LSP in both directions.
Step 6: Per P1's LFIB, it doesn't have the right label to reach PE1 (Untagged vs. Pop).
*12.0(26)S onwards
PE1#ping mpls ipv4 10.13.1.62/32
Sending 5, 100-byte MPLS Echos to 10.13.1.62/32,
     timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success, 'Q' - request not transmitted,
       '.' - timeout, 'U' - unreachable,
       'R' - downstream router but not target
Type escape sequence to abort.
RRRRR
Success rate is 0 percent (0/5)
PE1#

Type escape sequence to abort.
!!!!!
Success rate is 0 percent (0/5)
PE1#
Conclusion
MPLS seems cryptic, but it is not. Whether to look at the FIB or the LFIB? Whether it is a BGP or an MPLS problem? Whether the problem is within the core or outside the core? Ongoing MPLS OAM work.